By now, most CIOs in a higher education context know that cybersecurity is important. Cybersecurity continues to top the list of EDUCAUSE Top 10 IT issues; in fact, 2019 marks the fourth year in a row that this topic is in the pole position. While the specifics have changed slightly—in 2019, for example, “Information Security Strategy” is the number one concern compared to 2018’s “Information Security”—the implication should be obvious: information security (cybersecurity) is important and continues to be so.

There are a few reasons why this topic is so important for postsecondary education. First and most obviously, there’s the goal of minimizing the likelihood of a data breach. But more than that, it can be an existential threat. If that sounds like hyperbole, consider recent guidance from the U.S. Department of Education underscoring the contingency of Title IV funding on certain cybersecurity standards. They’ve said that, at a minimum, the protections required under the Gramm-Leach-Bliley Act (GLBA – 15 U.S. Code § 6801) are mandatory for Title IV eligibility. They’ve also highlighted guidance available from NIST in SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” as an important consideration.

Steps to Get Started

The point of all this is that it’s important—and becoming more so—that we get cybersecurity right. But, quite frankly, even getting started can be a difficult proposition for many higher education CIOs. Why? A few reasons. First, appropriate levels of investment, in both time and dollars, can sometimes be hard to come by. Second, factors such as a culture of openness and free exchange of information can work contrary to security goals. Third, the technology landscape of higher education is diverse and heterogeneous, often leveraging open-source tools and disparate platforms, both on premises and in the cloud. All these elements, combined with the desire to cultivate and retain faculty in a highly competitive environment, means that it can be difficult to know how to get started and where to invest limited resources.

With this in mind, it’s valuable to outline a few strategies that institutions can employ to bolster their cybersecurity programs at an executive level. These are not the only steps, but these are the steps that will absolutely provide value, regardless of the institution’s current cybersecurity maturity, resources, and personnel. Meaning, every institution can undertake these steps, and any institution that does so—regardless of culture or the nuances of the particular institution—will derive value from them.

1. Improve (or Begin) Risk Management

The first thing an institution can do is improve its ability to systematically assess, monitor, and manage their risk. If they are not already doing this, they can begin the process. There are a number of different approaches that an institution can use to do this—some qualitative (e.g., by assigning “fuzzy” levels like “low/medium/high” into a risk register), some quantitative (i.e., using numeric scores)—but the important part is to do something to try to understand risk and to come up with ways to control it and track progress over time. There are a number of tools and methodologies available to do this: one approach is outlined in NIST’s SP 800-39, but there are numerous others, including OCTAVE and COBIT 5 for Risk.

There are a few reasons why this is valuable. First, it’s valuable because it’s required for GLBA compliance and because risk assessment is one of the areas directly covered by SP 800-171 (section 3.11) as referenced in the Department of Education guidance. But it’s not just useful from a compliance perspective; it’s also useful because it can help direct resources and investment. By understanding what the relative risks to the institution are—and being able to prioritize them according to a systematic methodology—the most pressing areas (some technical some not) can be identified and resources directed accordingly.

2. Assign an Owner

Frankly, it can be challenging to ensure that the right cybersecurity steps are taken and processes are in place when security isn’t anybody’s “day job”—i.e., when the responsibility is shared, when it’s a part-time responsibility (in addition to other tasks), or, worse yet, when it’s not directly allocated at all. If no resource is yet assigned to oversee information security responsibility, it’s a good idea to assign one. This helps to make sure there is someone directly accountable for the work being done, to ensure that it stays in the forefront of someone’s mind and area of responsibility. If someone is already dedicated to the function, that person must have sufficient resources available (in personnel and dollars) to perform the role. This works synergistically with step 1 (risk management) activities assigned above, as the security owner can help keep risk assessments current, can track and report progress over time, and can keep management apprised when situations and assumptions change.

3. Selectively Leverage Outsourced Relationships

Quite frankly, only the largest institutions will have the available resources, funds, and staff to invest in covering all the bases. SP 800-171 alone, for example, outlines 14 different requirements (Chapter 3) in ensuring that the baseline goals are met. Depending on what is discovered during the risk assessment process, there are likely to be many more—including areas specific to the institution. This means that, as a practical matter, gaining outside assistance can be beneficial. Certain tasks—security awareness (e.g., phishing simulation and security training), threat intelligence gathering, vulnerability assessment, and more—allow institutions to leverage economies of scale to get a higher level of service (at a comparatively lower cost) than building that capability internally. Other tasks, like penetration testing and BCP/DR, require specialized expertise that is difficult or expensive to acquire in a full-time resource; and even if those skills are acquired, they can be expensive to maintain over time. Therefore, external providers that specialize in these areas—particularly when they are already familiar with higher education—can provide significant value. As you can see, none of these items are “rocket science.” They can, however, immediately and concretely provide value to those institutions seeking to bolster their cybersecurity efforts. And, as we outlined in the beginning, this is becoming more and more important with each passing day.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of The Tambellini Group. To express your views in this forum, please contact Hilary Billingslea, Director, Marketing Communications & Operations, The Tambellini Group.